CVE-2026-22356

Jetpack CRM <= 6.7.0 - Unauthenticated Local File Inclusion

Severity: high
Weakness: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS Score: 8.1
Patched in: 6.7.1
Time to patch: 10d

Description

The Jetpack CRM plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 6.7.0. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 6.7.0
Published: February 16, 2026
Last updated: February 25, 2026
Affected plugin: zero-bs-crm

What Changed in the Fix

Changes introduced in v6.7.1


Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan - CVE-2026-22356 (Jetpack CRM LFI)

1. Vulnerability Summary

The Jetpack CRM plugin for WordPress (versions <= 6.7.0) contains an unauthenticated Local File Inclusion (LFI) vulnerability. The issue arises from insufficient validation of user-supplied parameters (likely subtab, tab, or page_name) passed to file inclusion functions such as jpcrm_load_admin_page() and module-specific load_admin_page() implementations. This allows attackers to traverse directories and include arbitrary PHP files, leading to sensitive data exposure (e.g., wp-config.php) or remote code execution via file upload wrappers.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php or a direct frontend listener in ZeroBSCRM.Core.php.
  • Action (AJAX): zbs_settings_load_tab or zbs_get_page (inferred from typical Jetpack CRM routing).
  • Vulnerable Parameters: subtab (via modules/mailpoet/admin/settings/router.page.php) or page_name (via includes/ZeroBSCRM.AdminPages.php).
  • Authentication: Unauthenticated (wp_ajax_nopriv_ hook).
  • Preconditions: The MailPoet module or a specific CRM page must be accessible. The AC:H
Research Findings
Static analysis — not yet PoC-verified

Summary

Jetpack CRM <= 6.7.0 is vulnerable to unauthenticated Local File Inclusion (LFI) because user-supplied parameters like 'subtab' are used to construct file paths for inclusion without proper validation. Attackers can use directory traversal sequences to include arbitrary PHP files from the server, potentially leading to remote code execution if they can upload files or find sensitive local files ending in '.page.php'.

Vulnerable Code

// includes/ZeroBSCRM.AdminPages.php line 29
function jpcrm_load_admin_page( $page_name, $alt_path = ZEROBSCRM_PATH ) {

	$target_file = $alt_path . "admin/$page_name.page.php";

	if ( file_exists( $target_file ) ) {

		require_once $target_file;

	} else {

		echo zeroBSCRM_UI2_messageHTML( 'warning', '', __( 'Could not load the requested page.', 'zero-bs-crm' ) );

	}
}

---

// modules/mailpoet/admin/settings/router.page.php line 17
function jpcrm_settings_page_html_mailpoet() {
	
	global $zbs;
	$page = $_GET['tab'];
	$current_tab = 'main';

	if ( isset( $_GET['subtab'] ) ) {
		$current_tab = sanitize_text_field ( $_GET['subtab'] );
	}

	$zbs->modules->mailpoet->load_admin_page("settings/{$current_tab}");
	call_user_func( "Automattic\JetpackCRM\jpcrm_settings_page_html_{$page}_{$current_tab}");
}

Security Fix

--- a/modules/mailpoet/admin/settings/router.page.php
+++ b/modules/mailpoet/admin/settings/router.page.php
@@ -21,6 +21,11 @@
 	if ( isset( $_GET['subtab'] ) ) {
 		$current_tab = sanitize_text_field ( $_GET['subtab'] );
 	}
+
+	// Whitelist allowed subtabs to prevent directory traversal
+	$allowed_subtabs = array( 'main', 'sync', 'settings' );
+	if ( ! in_array( $current_tab, $allowed_subtabs ) ) {
+		$current_tab = 'main';
+	}
 
 	$zbs->modules->mailpoet->load_admin_page("settings/{$current_tab}");
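Review bot: The allowlist guards only this MailPoet router, while `jpcrm_load_admin_page()` (quoted above) still concatenates `$page_name` straight into the `require_once` path, so any other caller that forwards request data remains exposed; the check belongs in the shared loader as well, ideally with a `realpath()` containment test against the expected `admin/` directory as defence in depth. Minor: `in_array( $current_tab, $allowed_subtabs )` should pass `true` as the third argument for a strict comparison. Also note that `$page = $_GET['tab']` in the same function is still used unsanitised in `call_user_func()` and is not touched by this hunk.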

Exploit Outline

The exploit involves targeting a CRM navigation endpoint (typically via admin-ajax.php or a front-end listener) that routes settings requests. An attacker provides the 'tab' parameter (e.g., 'mailpoet') and manipulates the 'subtab' parameter with directory traversal sequences (e.g., '../../../../tmp/exploit'). Because the plugin lacks authentication checks on specific settings routing logic and uses the 'subtab' value to construct a 'require_once' path, the attacker can include and execute local PHP files. If the attacker can upload a file (e.g., an image that is actually a PHP script) that ends with '.page.php' or find an existing file with that extension, they can achieve arbitrary code execution.
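The traversal pattern described above, turned into a defender's check. This is an added example, not code from the advisory or the plugin: it scans constructed Apache combined-format access-log lines for the `tab`, `subtab` and `page_name` parameters named on this page and flags values that, after full percent-decoding, contain a `..` segment or an absolute path. The sample log lines and their query strings are constructed for illustration; the plugin's real routing parameters on a given site may differ.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request parameters the advisory names as reaching the include path.
WATCHED_PARAMS = ("subtab", "tab", "page_name")
# WordPress entry points through which the CRM routes its settings pages.
WATCHED_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin.php")

# Constructed Apache combined-format lines, not real traffic; query strings are illustrative.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin.php?tab=mailpoet&subtab=main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Feb/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?tab=mailpoet&subtab=../../../../tmp/x HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.9 - - [16/Feb/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?tab=mailpoet&subtab=%252e%252e%252fwp-config HTTP/1.1" 500 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when the decoded value contains a '..' segment or is an absolute path."""
    path = decode_fully(value).replace("\\", "/")
    return path.startswith("/") or any(seg == ".." for seg in path.split("/"))

def scan_line(line):
    """Return (ip, status, param, value) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in WATCHED_PATHS:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if is_traversal(value):
                return (m.group("ip"), m.group("status"), name, value)
    return None

def scan_log(text):
    """One finding per log line whose watched parameter looks like traversal."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]
```

Calling `scan_log(SAMPLE_LOG)` returns the two findings from the curl lines and nothing for the benign `subtab=main` request; the HTTP status is kept because a 500 next to a traversal value often marks a failed include attempt worth correlating with PHP error logs.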
